for Information Security

Pei-yu Chen, Gaurav Kataria and Ramayya Krishnan
Heinz School, Tepper School and CyLab, Carnegie Mellon University

Abstract: In this paper we analyze a software diversification-based strategy to achieve information security. The notion of using diversity to limit correlated risks is a widely accepted strategy in many fields. Various risk management approaches strive to minimize the variance of losses faced by individuals by either risk pooling, as in insurance, or diversification, as in portfolio management. However, these approaches are advantageous only for risk-averse agents, as the expected loss remains unchanged. Exploiting externalities unique to information systems, we show that diversification can not only reduce loss variance but also minimize expected loss. We formulate the optimal amount of diversity investment by a firm, taking into account both the negative network externalities accruing from attacks and the positive network effects that accrue from uniformity and interoperability.

Keywords: Computer security, Information security, Software security, Risk management
I. INTRODUCTION

Network effects have been the driving force underlying a firm's decisions on technology adoption, i.e. whether to adopt, what to adopt and when to adopt (Katz and Shapiro 1985 and 1986; Brynjolfsson and Kemerer, 1996). In the case of software adoption, firms often find it more valuable to adopt software which has a large market share. By making a choice compatible with others', firms enjoy positive network effects stemming from the greater benefits of compatibility and interoperability both within and outside the organization (Rohlfs 1974). As a result, markets with network effects are usually tippy, i.e. they tip in favor of one product (Farrell and Klemperer). The rise of MS Windows as the most popular choice for desktop operating system can be mainly attributed to this very fact (Economides). However, often ignored is the negative network externality associated with consuming popular software. This negative network externality has become increasingly important recently as more and more security attacks take place, and at the same time firms realize that their ability to stay secure is somehow dependent on the actions (e.g. patching) of others that use the same software. More specifically, a popular software may attract considerably more attacks due to its high market share. And, by using popular software to interconnect with many partners, firms risk being attacked and affected by the breaches at their partners (Kunreuther and Heal 2003). Therefore, by joining a larger network (e.g., sharing a software with more users) a firm may face higher risk. This observation has lately gained more traction since the recent string of some fairly devastating worms like MS-Blaster (CERT CA-2003-20) and Sasser (Symantec 2004). These worms exploited vulnerabilities present in the Microsoft Windows operating system to propagate from computer to computer, eventually targeting most of the unpatched machines connected to the Internet.
Unfortunately, this meant most of the world's machines were affected, due to the fact that over 90% of all client-side computers use Microsoft Windows (Geer et al. 2004).¹ Whether the lower quality of Microsoft Windows or the size of Microsoft's market share is the cause of the large number of attacks against it is unknown. Some observers have cited economies of scale as the main reason why most attackers choose to attack Windows machines (Honeynet Project 2004, Symantec 2004). It may be that in considering positive network externalities alone and disregarding negative externalities, firms have over-invested in homogeneous systems. Some observers have even argued that this has led to market failure in the case of the OS market (Geer et al. 2004). In this research we aim to address the following research questions: Can a firm benefit from investing in a different IT infrastructure than the other firms it does business with? Can a firm benefit from maintaining a diversity of systems? Can society benefit from such diversity? What is the social cost of lacking diversity? And what is the optimal level of diversity at the firm and society level? We show that diversification not only reduces loss variance but also minimizes expected loss. We also provide a framework for determining the optimal diversification strategy for a firm. In Section II, we formulate the problem of a firm that needs to purchase software as a budget-constrained decision problem. In Sections III and IV, we discuss the benefit of homogeneity and the reduction in expected loss via diversity, respectively. In Section V, we discuss the optimal diversification strategy taking into account both the positive and negative externalities. Finally, we conclude by discussing our results and describing our larger research agenda to incorporate the role of industry, government and market forces in achieving socially optimal software diversity.

¹ According to market researcher OneStat.com, Windows now controls 97.46 percent of the global desktop operating system market, compared to just 1.43 percent for Apple Macintosh and 0.26 percent for Linux.

II. IT BUDGET

Expenditure on IT is a budget-constrained problem that takes into account switching cost, training, migration, interoperability, and integration (Figure 1). Security is a newly
emerging and increasingly important constraint in the IT budget allocation process.² When selecting its software, a firm decides how much uniformity it wants with the external world and to what extent it is willing to stay distant (or diverse). We adopt the terminology of homogeneity (or diversity) to indicate, on a scale of 0 to 1, the extent to which a firm is similar (or dissimilar) in its choice of software to the rest of the world. By staying homogeneous internally and externally it expects greater benefits of interoperability, while risking catastrophic consequences via simultaneous failure of all its systems, as has been the case with some recent worms.³

² A worldwide study conducted by CIO Magazine and PricewaterhouseCoopers in 2003 said: "Looking ahead to 2004, security will become more strategic as companies invest greater resources in developing strategy, defining architecture and risk assessment." http://www.csoonline.com/csoresearch/report64.html
³ More than half of Korea's Internet backbone went down during the SQL Slammer worm just due to a denial of service (DoS) problem.

Figure 1: A firm has to choose between homogeneity and diversity, with interoperability and security being the primary tradeoff.

We consider firms' technology acquisition strategy, i.e., whether they should acquire technology of the same type to ensure maximum interoperability or mix-and-match different technologies to reduce security loss. The strategic decision variable is the level of diversity, with interoperability and security risk as the main tradeoff. Other factors that can potentially impact the level of diversity are switching costs when firms have an installed base of incumbent software. Without loss of generality, in our analysis we consider a firm's software environment to consist of two technologies, an incumbent technology and a competing technology. The firm may choose to have a proportion x₁ of its systems on the incumbent software, while having the remaining 1 − x₁ on the competing software. Then, assuming a risk-neutral firm, the net utility derived can be written as follows:

$$E[U(x_1)] = \text{Benefit}(x_1) - E[\text{Loss}(x_1)] \quad (1)$$

where Loss is stochastic and Benefit is deterministic. Within this framework we discuss the benefits of homogeneity in Section III and the benefits of diversity in Section IV.

III. BENEFIT OF HOMOGENEITY

The advantages realized by compatibility and integration have been discussed in the IS and standardization literature (Klemperer 1987, Varian and Shapiro 1999). In choosing software that has a large market share, a firm ensures easy connectivity with its partners and suppliers, while at the same time having all its internal systems operating on identical software ensures seamless interconnectivity. The advantages of such a setup have been widely discussed in the data warehousing and process integration literature (IBM 2004).
Figure 2: A firm's software choice affects its connectivity both internally and externally.

The benefit of homogeneity is primarily the benefit of interconnectivity. In a standardized environment this benefit should be independent of x₁, the level of diversity in a firm. Unfortunately, software interfaces today are not standardized, which means that having software from the same vendor on all computers provides an extra benefit to the firm.

$$\text{Benefit(of having a combination)} = K_S\left[(x_1 N)^2 + (x_2 N)^2 + x_1 N \cdot M \cdot E + x_2 N \cdot (1 - M) \cdot E\right] \quad (2)$$

where K_S = standardization coefficient. The standardization coefficient is a scaling factor denoting the benefit of interconnecting two computers running the same software platform. Some standards do exist today (e.g. SOAP and XML); however, due to many proprietary extensions and interfaces the full benefit of interconnection is not realized. The other variables in (2) are as follows:

N = number of computers in the firm
x₁ = proportion of computers running the incumbent software
x₂ = (1 − x₁): proportion of computers running the alternative software
M = market share of software 1; (1 − M) = market share of software 2
E = number of external computers that the firm may connect to

Solving (2) for the optimal software choice gives a binary outcome: a firm would choose all software 1 if software 1 has the greater market share, and if software 2 has the greater market share then it would choose all software 2, other things being equal, as shown in Figure 3 below. We note that in the absence of negative externalities a firm would prefer to invest only in the incumbent software (Farrell and Saloner, 1985). Maybe this is the reason why society today is over-invested in Windows. In the following section we discuss the negative network externalities and show that the reduction in losses via diversity can possibly compensate for the positive network effects of homogeneity.

[Figure 3 plot: Optimal Diversity (x₁) against market share of software 1]
Figure 3: Firms prefer all software 1 when the market share of 1 is over 50%; when the market share of 2 increases above 50% they prefer all software 2.

IV. LOSS REDUCTION VIA DIVERSITY

By virtue of always being connected and tightly integrated in online business processes, it is widely accepted today that firms receive numerous attacks on their systems. Even without counting targeted attacks, the baseline rate of stray virus/worm type attacks on corporate networks is considerably high (CSI/FBI Survey 2004). There is no doubt that
even after following best practices, systems fall prey to online attacks on a daily basis. Accepting this harsh reality, most firms have measures in place to tackle these incidents. Some information security risk management frameworks have been proposed to better understand and tackle this problem (Hoo, Butler 2003). Soo Hoo's approach focuses on Annualized Loss Expectancy (ALE) to choose between security measures, while Butler's approach is more qualitative and based on one-to-one interviews with management to determine the relative risks of possible outcomes and the effectiveness of the risk mitigation approaches. A CMU-LBNL joint study on information security risk quantification takes time-to-respond to an incident as the measure of loss incurred (Arora et al. 2004). Recognizing that, in addition to the scale of the incident, different types of incidents require different attention, they define time to respond as a combined measure of various efforts including diagnostic, repair, legal, public relations, and mandatory reporting, each of which is required in varying proportion to tackle different incidents. For instance, a virus attack may require no more than disk scanning and cleaning, while graffiti on the company's webpage is a public relations nightmare. Firms employ resources to tackle these scenarios, which occur on a daily basis. In our research we model the capability of the firm to respond to such scenarios as a fixed and limited resource. On the other hand, the scale of the incidents varies considerably from day to day. In this paper, we consider the number of computers affected by a worm outbreak on a day as the measure of the seriousness of the incident. In this case the contingency operation of the limited-resource IT department involves patching, backup and/or rebuilding systems. It is perhaps reasonable to assume that the loss to a firm due to computers being affected grows more than linearly with the number of computers affected.
Consider the following situation, where the loss to the firm may be captured by the total waiting time (or downtime) to bring all the computers back up. If we assume that the IT department services the affected computers sequentially, then the organization faces lost productivity not only for the computer that is currently being serviced but also for all the other affected computers that are waiting in some sort of queue to be serviced by the IT department. Therefore, the damage caused to the firm when y of its computers are affected in a worm outbreak is of the form:

$$L(y) = k y^2 \quad (3)$$

where y is normalized such that it varies from zero to infinity. By this simple analysis we are trying to depict the loss to an organization as a function of y, the scale of the incident (Figure 4). Even though this may not be the most accurate depiction of the loss function, it highlights the non-linear relationship between the loss accrued and the scale of the attack. The important point is that simple attacks are handled with little or no effort (e.g. blocking ports by properly configuring the firewall), while bigger incidents require much more extensive effort and downtime. The total service time increases rapidly with increasing scale of attack.

Figure 4: A convex loss function depicting the rapidly rising service effort with increasing scale of incident.

We know that the proportion of computers affected on a day is not fixed; it is instead likely to have a distribution where minor incidents happen more frequently and major ones are not so frequent. A minor incident from the perspective of the firm is when just a few computers are affected, and a major incident is when a large percentage of computers are down. This assertion is not without factual support. Numerous websites
report vulnerability statistics which show that now-obsolete attacks are still being observed in large numbers and outdated viruses are still in circulation.⁴ On the other hand, once every few months we see a major worm which successfully exploits a large number of computers worldwide (MS Blaster, Sasser, Code Red, Nimda etc.). The LBNL-CMU study and Butler's interviews with security managers offer data to support these statements (Arora 2004, Butler 2003). Based on these observations we model the probability density function for the scale of incident as an exponential distribution,

$$f(y) = \frac{1}{\beta} e^{-y/\beta} \quad (4)$$

where y = number of computers affected on a day (normalized to vary between zero and infinity) and β = mean number of computers affected on a day. The average number of computers affected, β, may depend on many factors including type of software/service, type of industry, inherent security level of the software product, market share and/or sentiment against the software product, etc. However, as shown in Table 1, Windows, which has over 90% market share in the client-side operating system market, receives 9.6% of the attacks at the ten most attacked ports. At the same time, the number of vulnerabilities discovered in Windows outnumbers all other operating systems. Market share thus appears to have considerable influence on the attacks.

⁴ Symantec, CERT, ISC SANS etc. report that many obsolete viruses and variants of already patched worms appear frequently.
Figure 5: Exponential pdf of computers affected, with mean = β. On a given day it is more likely that fewer computers are affected; the likelihood decreases as the scale of incident increases.
Table 1: Top Ten Most Attacked Ports According to SANS Institute Internet Storm Center

Port/Protocol | Service | Average number of source IPs attacking this port (/7-/4) | Primary target OS | Vulnerability related information
445/tcp,udp | microsoft-ds | 3756 | Windows | CA-2003-19: Exploitation of Vulnerabilities in Microsoft RPC Interface; CA-2003-20: W32/Blaster worm; CA-2003-23: RPCSS Vulnerabilities in Microsoft Windows
135/tcp,udp | epmap | 598 | Windows | CA-2003-19: Exploitation of Vulnerabilities in Microsoft RPC Interface; CA-2003-20: W32/Blaster worm; Current Activity 8/18/2003: W32/Welchia Worm; CA-2003-03: Buffer Overflow in Windows Locator Service
139/tcp,udp | netbios-ssn | 5964 | Windows | CA-2003-19: Exploitation of Vulnerabilities in Microsoft RPC Interface; CA-2003-20: W32/Blaster worm; CA-2003-23: RPCSS Vulnerabilities in Microsoft Windows
1025/tcp | RPC | 645 | Windows | Currently inbound scans are likely RPC and LSA exploit attempts against Windows
1026/udp | PopUp Messenger | 5645 | Windows | Typically inbound traffic to this port is Messenger spam
53/tcp,udp | dns | 3899 | Linux/Unix | CA-2002-31: Multiple Vulnerabilities in BIND
80/tcp | http | 979 | Windows and Linux | CA-2002-27: Apache/mod_ssl Worm; CA-2002-33: Heap Overflow Vulnerability in Microsoft Data Access Components (MDAC); CA-2003-09: Buffer Overflow in Core Microsoft Windows DLL; Current Activity 8/18/2003: W32/Welchia Worm
1433/tcp | MS-SQL Server | 9867 | Windows | Inbound scans are typically looking for Microsoft SQL Server installations with weak password protection and, if successful, look to steal or corrupt data or use some features of SQL Server to compromise the host system
1027/udp | PopUp Messenger | 3957 | Windows | Typically inbound traffic to this port is Messenger spam
137/udp | netbios-ns | 479 | Windows | CA-2003-08: Increased Activity Targeting Windows Shares; CA-2003-23: RPCSS Vulnerabilities in Microsoft Windows

Source: Data compiled from Internet Storm Center at SANS and US-CERT. Percentage attacking Windows: 755 / 8764 = 9.6%.
Now, given the loss function and the pdf of the scale of incident, we can calculate the expected loss to a firm.

$$E(\text{loss}) = \int_0^\infty L(y) f(y)\,dy = k \int_0^\infty y^2 \frac{1}{\beta} e^{-y/\beta}\,dy = 2k\beta^2 \quad (5)$$

Without loss of generality we assume k = 1/2 for the rest of the analysis.

IV. Diversity As A Means To Security

We have shown earlier that considering compatibility alone leads to homogeneity. However, homogeneity may also lead to higher security risk (Kunreuther and Heal; Geer et al. 2004). In this section, we examine whether diversity can be an effective way to achieve a higher security level, and how much diversity is needed in order to reduce the expected loss due to security threats. Suppose the firm decides to diversify its software use in order to reduce the chances of simultaneous failure of many computers; it may do so by keeping a proportion x₁ of its computers on the incumbent software while switching to a competing product for the remaining (1 − x₁) portion. In order to determine the expected loss when a firm decides to use a combination of software, we need to calculate the pdf of the total number of computers affected, which in this case is the combination of two random variables,

$$y = x_1 y_1 + x_2 y_2 \quad (6)$$

where y = total computers affected by attacks on both types of software platforms; x₁y₁ = total computers affected by attacks on the incumbent software;
x₂y₂ = total computers affected by attacks on the competing software; x₂ = 1 − x₁.

If both software products/platforms are nearly identical except that bugs in one are independent of those in the other, then we can assume that β₁ = β₂, which implies that the pdf of y is

$$f(y) = \frac{1}{\beta(1 - 2x_1)}\left(e^{-y/\beta(1 - x_1)} - e^{-y/\beta x_1}\right) \quad (7)$$

Continuing further, we calculate the expected loss as

$$E(\text{loss}) = \int_0^\infty L(y) f(y)\,dy = \beta^2\left(1 - x_1 + x_1^2\right) \quad (8)$$

Minimizing the expected loss with respect to x₁, we get the minimum value of 0.75β² at x₁ = 0.5. This result is not surprising, as we assume the two products to have equal β. However, since we normally observe that the products are not identical in their characteristics, the number and intensity of attacks faced by the two products is usually different, leading to different values of β. Therefore we next assume that β₁ = β while β₂ = mβ, where m is a function of all the factors that cause the severity or number of attacks against a product to increase, possibly its larger market share. Individually, the probability densities for y₁ and y₂ can be given by

$$f(y_1) = \frac{1}{\beta} e^{-y_1/\beta} \quad \text{and} \quad f(y_2) = \frac{1}{m\beta} e^{-y_2/m\beta} \quad (9)$$

The pdf of y can be calculated as
$$f(y) = \frac{1}{\beta\left(m(1 - x_1) - x_1\right)}\left(e^{-y/m\beta(1 - x_1)} - e^{-y/\beta x_1}\right) \quad (10)$$

Now calculating the expected loss as we did before in the case of no diversity,

$$E(\text{loss}) = \int_0^\infty L(y) f(y)\,dy = \beta^2\left[m^2(1 - x_1)^2 + x_1^2 + m x_1(1 - x_1)\right] \quad (11)$$

[Figure 6 plot: normalized E(loss) against x₁ for four values of m]
Figure 6: Normalized expected loss as a function of x₁ for four different values of m. E.g. when the two products are almost identical, E(loss) is minimal at x₁ = x₂ = 0.5.

Differentiating E(loss) with respect to x₁, we see that the minimum loss is realized when

$$x_1 = \frac{2m^2 - m}{2(m^2 - m + 1)} \quad (12)$$

As an illustration, when m = 0.9 (i.e. when product 2 on average receives 10% fewer computer casualties than product 1), the optimal amount of diversity is x₁ = 0.396. This means that product 2, which is superior in its security, should be used for 60% of the computers. Another interesting observation from this analysis is that diversity is effective
in reducing expected security loss when the ratio of the security level of the non-incumbent software to that of the incumbent software is between 0.5 and 2 (as shown in Figure 6). That is, even though the non-incumbent software may not be as secure as the incumbent software, a firm may still benefit from acquiring the non-incumbent software for a small set of its machines. The optimal amount of diversity, i.e. x₂ (= 1 − x₁), is plotted against m in Figure 7.

[Figure 7 plot: Optimal Diversity (x₂) against m, an indicator of higher attacks (possibly market share)]
Figure 7: Optimal amount of diversity as a function of relative security m; higher m implies that software 2 receives more attacks vis-à-vis software 1.

It may also be interesting to consider the impact of diversity on the variance of loss, given that a small variance is generally preferred to a large variance. Extending the above analysis to account for the variance of the loss, we have

$$V(\text{loss}) = E(\text{loss}^2) - E(\text{loss})^2 = \int_0^\infty L^2(y) f(y)\,dy - \left(\int_0^\infty L(y) f(y)\,dy\right)^2 = 6\beta^4\,\frac{m^5(1 - x_1)^5 - x_1^5}{m(1 - x_1) - x_1} - \beta^4\left(\frac{m^3(1 - x_1)^3 - x_1^3}{m(1 - x_1) - x_1}\right)^2 = 1.088\beta^4 \text{ evaluated at } [m = 0.9,\ x_1 = 0.396] \quad (13)$$

As compared to the variance of loss when only software 1 is used, given by
$$V(\text{loss}) = E(\text{loss}^2) - E(\text{loss})^2 = \int_0^\infty L^2(y) f(y)\,dy - \left(\int_0^\infty L(y) f(y)\,dy\right)^2 = 6\beta^4 - \beta^4 = 5\beta^4 \quad (14)$$

Thus, in addition to the reduction in expected loss, firms also see a five-fold reduction in their variance when they switch 60% of their systems from an incumbent to a competitor which is 10% safer.

V. OPTIMAL DIVERSITY

Prior literature on technology and software adoption has considered only positive network externalities and has not taken negative network externalities into account. However, recent industry reports (Geer et al. 2003) suggest that negative network externalities exist and take the form of a higher security risk associated with consuming a popular software. This paper is, to the best of our knowledge, the first attempt to analyze security risks and diversification strategies using the lens of positive and negative network externalities. We offer a way to quantify the benefits of diversity and show that diversity can be an effective way to reduce security risk by reducing the expected loss and the variance of loss. There are a number of extensions we are working on as part of future work. For instance, if firms make choices as described in our paper, we recognize that the market shares of the incumbent and competing software will change and thereby alter their market shares. This calls for an analysis of equilibrium behavior, and we are pursuing this within a fulfilled expectations framework (Katz and Shapiro 1985). The goal of this optimization strategy is to maximize the overall utility realized by the firm. Without more concrete data we cannot precisely estimate the exact amount of diversity required. However, we believe that more careful examination of data can give reliable estimates for the parameters of our model. In the following section we discuss
our larger research agenda and describe how we plan to precisely estimate those parameters.

VI. DISCUSSION AND CONCLUSION

"Recent data from our honeynet sensor grid reveals that the average life expectancy to compromise an unpatched Linux system is 3 months. ... Data from the Symantec DeepSight Threat Management System indicates a vulnerable Win32 system has a life expectancy not measured in months, but merely hours." - Honeynet Project: Trend Analysis, Dec 2004.

Windows has long been the popular choice for desktop computing, but as more alternatives emerge, e.g. Linux and Mac OS X, firms may prefer some lack of interconnectivity for a reduction in security losses. However, some questions still remain: is the maximization of utility a corner solution in favor of homogeneity, as has been the case in the past? Can a society benefit from diversity? What is the social cost of lacking diversity? In our research we aim to estimate the optimal level of diversity for both an individual firm and for society. In this paper, we have presented a novel framework to incorporate the benefits of both homogeneity and diversity in the software domain. Specifically, we have shown that depending on the characteristics of the firm, the industry in general, and the type of software, different levels of diversity may be optimal. We are now interested in addressing some important questions such as: should large firms prefer more diversity compared to small firms, should government mandate standardization, and should government subsidize the development of competing software. We hope to answer these questions by building a more accurate model for lost productivity as a function of the scale of incident, and estimating the same using call center data from CMU Computing Services.
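The loss model of Sections IV and V, as an added worked example that is not the paper's own code: it implements the convex loss of equation (3), the exponential incident scales of equations (4) and (9), the expected loss and optimal x₁ of equations (11) and (12), the variances of equations (13) and (14), and the interconnection benefit of equation (2) combined through equation (1). The Monte Carlo check, the grid search for the utility-maximising x₁ and the numeric parameters used in the demo are assumptions of this illustration.

```python
"""Worked example of the software-diversity model (added illustration, not the
paper's own code). Loss is L(y) = k*y^2 with k = 1/2; the daily incident scale
y1 on the incumbent is exponential with mean beta, y2 on the competitor has
mean m*beta, and x1 is the proportion of machines on the incumbent (x2 = 1 - x1)."""
import math
import random


def moment(a, b, n):
    """E[y^n] for y = Y1 + Y2 with independent Y1 ~ Exp(mean a), Y2 ~ Exp(mean b).
    For a != b, E[y^n] = n! (a^(n+1) - b^(n+1)) / (a - b); as a -> b this tends to
    n! (n+1) a^n (Erlang-2 limit), and it reduces to n! a^n when b = 0."""
    if math.isclose(a, b):
        return math.factorial(n) * (n + 1) * a ** n
    return math.factorial(n) * (a ** (n + 1) - b ** (n + 1)) / (a - b)


def expected_loss(x1, m, beta=1.0):
    """Equation (11): E[loss] = beta^2 [m^2 (1-x1)^2 + x1^2 + m x1 (1-x1)].
    With x1 = 1 it collapses to equation (5), E[loss] = beta^2."""
    x2 = 1.0 - x1
    return beta ** 2 * (m ** 2 * x2 ** 2 + x1 ** 2 + m * x1 * x2)


def loss_variance(x1, m, beta=1.0):
    """Equations (13)-(14): Var[loss] = E[L^2] - E[L]^2 with L = y^2 / 2 and
    y = x1*y1 + (1-x1)*y2, i.e. component means a = beta*x1, b = m*beta*(1-x1)."""
    a, b = beta * x1, m * beta * (1.0 - x1)
    e_l2 = moment(a, b, 4) / 4.0
    e_l = moment(a, b, 2) / 2.0
    return e_l2 - e_l ** 2


def optimal_x1(m):
    """Equation (12): x1* = (2m^2 - m) / (2 (m^2 - m + 1)). The interior optimum
    lies in (0, 1) only for 0.5 < m < 2; outside that band diversification does
    not pay and the answer is a corner: x1 = 0 for m <= 0.5, x1 = 1 for m >= 2."""
    x1 = (2 * m * m - m) / (2 * (m * m - m + 1))
    return min(1.0, max(0.0, x1))


def simulate_loss(x1, m, beta=1.0, days=200_000, seed=7):
    """Monte Carlo check of E[loss] on constructed data: draw a daily incident
    scale for each platform, combine them as in equation (6), average the loss."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(days):
        y = x1 * rng.expovariate(1.0 / beta) + (1.0 - x1) * rng.expovariate(1.0 / (m * beta))
        total += 0.5 * y * y
    return total / days


def interconnection_benefit(x1, n, market_share, external, ks=1.0):
    """Equation (2): K_S [(x1 N)^2 + (x2 N)^2 + x1 N M E + x2 N (1-M) E]."""
    x2 = 1.0 - x1
    return ks * ((x1 * n) ** 2 + (x2 * n) ** 2
                 + x1 * n * market_share * external
                 + x2 * n * (1.0 - market_share) * external)


def best_net_utility_x1(n, market_share, external, m, beta, ks=1.0, steps=1000):
    """Equation (1) on a grid: the x1 maximising Benefit(x1) - E[loss(x1)].
    How K_S and beta^2 are scaled against each other is an assumption here."""
    grid = (i / steps for i in range(steps + 1))
    return max(grid, key=lambda x: interconnection_benefit(x, n, market_share, external, ks)
               - expected_loss(x, m, beta))


if __name__ == "__main__":
    m = 0.9                                   # competitor gets 10% fewer casualties
    x1 = optimal_x1(m)
    print(f"x1* = {x1:.3f}: E[loss] = {expected_loss(x1, m):.3f} beta^2, "
          f"Var = {loss_variance(x1, m):.3f} beta^4 (homogeneous: {loss_variance(1.0, m):.1f} beta^4)")
    print(f"Monte Carlo E[loss] at x1* = {simulate_loss(x1, m):.3f} beta^2")
    # With no security loss (beta = 0) equation (2) alone picks a corner, as in
    # figure 3; a sizeable beta pulls the utility-maximising x1 into the interior
    # (constructed numbers: N = 100, M = 0.6, E = 1000).
    print("benefit-only x1:", best_net_utility_x1(100, 0.6, 1000, m, 0.0))
    print("benefit minus loss x1:", best_net_utility_x1(100, 0.6, 1000, m, 300.0))
```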
REFERENCES

Arora, A., D. Hall, C. A. Pinto, D. Ramsey and R. Telang (2004). Measuring the Risk-Based Value of IT Security Solutions, IEEE IT Professional Magazine, 6(6): 35-42.
Brynjolfsson, E. and C. Kemerer (1996). Network Externalities in Microcomputer Software: An Econometric Analysis of the Spreadsheet Market, Management Science, 42(12): 1627-1647.
Butler, S. ( ). Security Attribute Evaluation Method: A Cost-Benefit Approach, International Conference on Software Engineering (ICSE).
CERT (2003). CERT Advisory CA-2003-20 W32/Blaster Worm, http://www.cert.org/advisories/ca-2003-20.html
CSI/FBI (2004). Ninth Annual Computer Crime and Security Survey, http://www.gocsi.com/forms/fbi/csi_fbi_survey.jhtml
Economides, N. (2001). The Microsoft Antitrust Case, Journal of Industry, Competition and Trade: From Theory to Policy, 1(1): 7-79.
Farrell, J. and G. Saloner (1985). Standardization, Compatibility and Innovation, Rand Journal of Economics, 16: 70-83.
Farrell, J. and P. Klemperer ( ). Coordination and Lock-in: Competition with Switching Costs and Network Effects, in M. Armstrong and R. Porter, eds., Handbook of Industrial Organization, vol. 3.
Geer, D., R. Bace, P. Gutmann, P. Metzger, C. Pfleeger, J. Quarterman, B. Schneier (2003). CyberInsecurity: The Cost of Monopoly. How the Dominance of Microsoft's Products Poses a Risk to Security, http://www.ccianet.org/papers/cyberinsecurity.pdf
Honeynet Project (2004). Know Your Enemy: Trends, http://www.honeynet.org/papers/trends/life-linux.pdf
Hoo, K.S. ( ). How Much Is Enough? A Risk Management Approach to Computer Security, Workshop on Economics and Information Security, University of California, Berkeley.
IBM Inc. (2004). IBM e-business Technology, Solution, and Design Overview, IBM Redbooks, http://www.redbooks.ibm.com/redbooks/sg4648.html
Katz, M. L. and C. Shapiro (1985). Network Externalities, Competition, and Compatibility, American Economic Review, 75(3): 424-440.
Katz, M. L. and C. Shapiro (1986). Technology Adoption in the Presence of Network Externalities, Journal of Political Economy, 94(4): 822-841.
Klemperer, P. (1987). Markets with Consumer Switching Costs, The Quarterly Journal of Economics, MIT Press, 102(2): 375-394.
Kunreuther, H. and G. Heal (2003). Interdependent Security, Journal of Risk and Uncertainty, Kluwer Academic Publishers, 26(2): 231-249.
Rohlfs, J. (1974). A Theory of Interdependent Demand for a Communications Service, Bell Journal of Economics, 5(1): 16-37.
Shapiro, C. and H. Varian (1999). Information Rules: A Strategic Guide to the Network Economy, Boston: Harvard University Press.
Symantec Inc. (2004). Symantec's Internet Security Threat Report, Volume VI, September 2004.